Bug Bounty Program Info

We do not want to hide our mistakes, but please allow us to take appropriate measures before disclosing any
vulnerabilities to the outside world.

How can you report?

Good report guidelines include clearly worded descriptions and steps, screenshots and/or video as necessary, provided
in English if possible, and submitted via our submissions form shown below. Please make your submission as soon as
possible after discovering the vulnerability, taking care to include details and necessary steps to repeat.

We review each submission carefully as we take security and privacy very seriously. Reviewing submissions, developing
patches, and testing changes will usually take much longer than finding and submitting bugs, please allow for a
reasonable amount of time between submission and response.

What are the rules?

Do not exploit or leverage any vulnerabilities discovered, for any reason. Demonstrating your discovery via
exploitation or it’s impact is not required for any submissions. If you have inadvertently caused exposure,
disruption, or any other damage then please contact us immediately via the form below.

Bad report guidelines include:

Publicly disclosing vulnerabilities

Copying, changing or deleting data or systems

Causing damage, abuse, spamming

Placing malware

Using denial-of-service or social engineering

Placing a backdoor-using brute force-techniques

Exposing of sensitive or customer data

Causing interruption or impediment of Takeaway’s services and operation

Including third parties in your submissions

Contacting any Takeaway employee directly

Endangering or inhibiting any system or service

Violating Takeaway’s policies (such as, but not limited to, Takeaway’s Terms of Use and Privacy Policy)

What do we do?

Due to the time investment of properly reviewing each submission, we cannot always guarantee a prompt response. Our
goal is an acknowledgement within two weeks of submission, with regular updates once the vulnerability is verified.
Together with you we will decide whether, when, and how to publicly disclose the vulnerability.

Submissions are scored on risk, likeliness to be exploited, and potential impact. Rewards are entirely at Takeaway’s
discretion and subject to change without notice. Upon duplicate submissions from multiple researchers, Takeaway favors
the first submitter and clearest report for the bug in question. Takeaway reserves the right to modify or terminate the
Bug Bounty program at any time.

If you agree to these terms and conditions we will not take any legal action against you. However, please be aware
that you are still subject to applicable laws and regulations, even if Takeaway takes no action in reporting you to the
authorities.

We will treat your submission with confidence and will use your personal data only for taking action on your
submission. We will not share personal data with other companies, unless we are legally required or a court order
requires us to do so. We may have to engage other companies to further investigate your submission. We will make sure
these companies will also keep your data confidential.

Denial of service, phishing, and social engineering attacks are not included and should not be
included in your tests, under any circumstances.

Weak or misconfigured SSL/TLS parameters are out of the bug bounty program's scope and should not be reported.

We discourage use of vulnerability testing tools which can generate significant server load, traffic, or risk of
disruption of any kind.

For newly acquired companies by Takeaway, we do not approve rewards for any submissions within the first six months
of acquisition while we improve and integrate the involved systems. However, you are welcome to submit alerts anyway.

We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries on sanctions lists.
You are responsible for any tax implications depending on your country of residency and citizenship. There may be
additional restrictions on your ability to participate depending upon your local law.